Serving the energy industry for over 30 years
By - Jon Brown

Mandatory Utility Supply Chain Compliance – NERC CIP 013 & BES Executive Order
A Comprehensive Overview with a Focus on Compliance, Cost, Risk and Preparedness
September 10, 2020 | Online :: Central Time

Download PDFPrint Event Details
 

Overview

The convergence of the requirements of NERC under CIP 013-1 and the new demands coming from both the White House BES Executive Order and DOE guidance has raised questions about liability and compliance mandates for utility supply chain professionals and the vendors/suppliers to the utility industry.

According to CIP 013-1 which begins October 1, 2020, utilities and 3rd party vendors must develop and implement a comprehensive supply chain risk management plan that includes NERC Senior Manager reviews and approvals for their 3rd party suppliers every 15 months. 

This course will take a comprehensive look at these factors. It will address strategies to comply and provide guidance and mechanisms for continued compliance on any new requirements. 

Learning Outcomes

  • Gain a comprehensive overview of NERC CIP 013-1 and the history of NERC CIP standards and how they continue to impact utilities and the industry in general
  • Discover what the specific regulations are, how they must be met, and the process of approval
  • Review how to prepare for the NERC 013-1 review by CIP Senior Managers
  • Explore managing NIST, NERC ISO & other frameworks
  • Evaluate the Risk Ranking methodology
  • Hear from an experienced legal practitioner who was a Senior Manager for the DOE General Counsel’s office on the origins and implications of the White House Bulk Electric System (BES) Executive Order and resulting guidance and regulations promulgated by the Department of Energy
  • Experience how a major worldwide vendor to the utility industry is handling its own internal CIP evaluations and what they are requiring of their own supply chain 3rd party vendors

Credits

AP_Logo

EUCI has been accredited as an Authorized Provider by the International Association for Continuing Education and Training (IACET).  In obtaining this accreditation, EUCI has demonstrated that it  complies with the ANSI/IACET Standard which is recognized internationally as a standard of good practice. As a result of their Authorized Provider status, EUCI is authorized to offer IACET CEUs for its programs that qualify under the ANSI/IACET Standard.

EUCI is authorized by IACET to offer 0.6 CEUs for this event.

Instructional Methods

This program will use PowerPoint presentations and group discussions, as well as active participation.

Requirements for Successful Completion of Program 

You must be logged in for the entire presentation and send in the evaluation after the course is completed.

Agenda

Thursday, September 10, 2020  – Central Time

8:45 – 9:00 a.m. :: Log In

9:00 a.m. – 4:00 p.m. :: Course Timing

12:15 – 1:00 p.m. :: Break for Lunch


A Comprehensive Understanding of the new Utility Supply Chain and 3rd Party Vendor Compliance Frameworks in Development, at Deadline and Expected into the Future

  • History of CIP Standards and how we arrived at this new level of compliance
  • What is the framework and what organizations are involved (we can merge your other original bullet on “Each organization plays a specific role, NERC, NIST, DoE, and ISO” with this one)
  • Adopting a security approach that is risk based vs. compliance driven, while also balancing the need to support and enable business and operational needs

Assess and prioritize supply chain risk, develop required acquisition policies and procedures, and help implement focused supplier and logistics security measures


Technical Presentation on the Process of Compliance

  • What is NERC CIP 013-1 along with previous CIP Cybersecurity Standards informing the new standard?
  • What is the scope of NERC CIP 010-3 as also a new standard?
  • The White House issued an Executive Order regarding 3rd party vendor compliance for the BES, what is it and how is the US DOE involved?
  • Specifically, what portions/products involved in the BES are affected?
  • A description of the process for compliance concerning all the organizations involved in the new regulatory framework
  • What is the bridge for vendor and assets (IT/OT/IoT/IIoT) risk management?
  • The requirement for certifying country of origin demands the creation of compliance scores and guidance from Industry, the Asset to Vendor Network is a non-profit organization ready to assist
  • Cybersecurity will be the major demand from all new standards, how does a utility and vendor prove compliance?
  • How do utilities and vendors bend the O&M curve with assessment & patch sharing?

A Legal Perspective on the New BES Standards

  • The US DOE is now directly involved in providing guidance, standards and regulations. How did this evolve, what role did the White House Executive Order play in jump starting the new process?
  • How will DOE and FERC be involved and what is the expected guidance they will provide?
  • What are the legal ramifications of this new compliance, any penalties, and what are the deadlines and timelines involved in the current CIP demands? What is anticipated into the future?

Vendor Perspective on CIP Compliance

This presentation is from one of the top vendors to the BES and developing the new digital utility revolution.   The vendor necessarily had to review their entire supply chain and is tasked with gaining detailed information on cybersecurity and the ability to prove and demonstrate to regulators their responsible process for such certification.  

  • A review of the program for supplier compliance developed out of the various industry initiatives and now regulatory requirements
  • How did the review project/program evolve and what is the process undertaken to refine the process
  • Who are the stakeholders involved in the process and their contributions?
  • What is the current status of the compliance program?
  • Anticipated changes due to NERC and DOE regulatory requirements as they come in force?

Questions & Answers with the Instructors and a Discussion Among Attendees

Instructors

Scott Crider, Manager, Cybersecurity and Supply Chain, West Monroe Partners

Mr. Crider is a program manager and operational excellence leader with more than 12 years of experience in the field as a cybersecurity practitioner that evaluates critical infrastructure and business development needs, and who demonstrates secure & safe principles and techniques within the Oil & Gas, Nuclear, Bulk Power, Water and Hygiene, Transportation, Clinical Information Systems, and Pharmaceutical/Biotechnology industries.

With a focused understanding of strategic cybersecurity, cyber resilience, and critical infrastructure, he is a results-oriented business professional with proven abilities in strategic planning, managing projects, improving efficiency of operations, team building, and detailing project information to determine effective processes for operations.

Possess extensive knowledge having served 15 different Energy & Utility companies in the Industry; recognized as a leader in capacities of program management, regulatory compliance, cybersecurity, nuclear regulatory commission (NRC) audit inspections, NERC CIP audit readiness, and cyber resilience functions. Positioned as an industry leader who aims to focus his talents on strategizing and implementing industry leading security frameworks and standards (i.e., ANSI/ISA, API, C2M2, CIS 20CSC, ISO, NEI, NERC, NIST, NRC) to advise clients on “right sized” security target operating models, improving security maturities, and postures. 


Roger Yang, Senior Manager, West Monroe Partners

Closely aligned with the Supply Chain practice, Roger has a deep background in turnaround and restructuring. Additionally, his experience as a manager of portfolio companies gives him a unique perspective. He has delivered projects across a wide range of industries, including automotive, aerospace, and consumer electronics industries, as well as healthcare, consumer packaged goods, and banking. Roger’s projects have predominantly focused on strategic sourcing, footprint optimization, and supply chain transformation.


Tony Turner, VP Security Solutions, Fortress Information Security

Tony leads the VSOC managed services team at Fortress helping customers with asset and vulnerability management and threat advisory services and designs many of the technical security solutions at Fortress. He has helped hundreds of companies with strategic and tactical approaches to solving their information security challenges. Tony most recently worked at a network security and vulnerability management vendor, where he led a transformational effort for the Professional Services organization and supported pre-sales activities for all of the Americas.

He has a wealth of experience in helping customers solve challenges around vulnerability management and prioritization, network assurance, and other security and compliance objectives.  He has been the global head of application security at Arrow Electronics and senior security executive for multiple organizations such as GuidePoint Security, Darden Restaurants and Orlando International Airport (MCO).

With over 20 years of consulting and operations experience, he brings a diverse skill set that includes Security Program Development, Business Continuity, Compliance, Incident Response, Penetration Testing and Vulnerability Management, Security Architecture and Network and Application Security.

Tony is a frequent speaker at industry conferences such as SANS, B-Sides, DerbyCon, ISSA, ISACA and others, and is a mainstay of the FL information security community, having founded several security groups and conferences. He holds a Bachelor’s degree from Hodges University in Naples, FL and over 20 security certifications such as CISSP, CISA, GCIH, GCIA, GPEN, GSSP-Java and many others.


Nick Noll, Director, Fortress Security 

Nick Noll is Director of Marketing and Business Development for Fortress Information Security.   Coming to Fortress in June of 2019 Mr. Noll has extensive security experience, physical and cyber.   His background with Symantec Security and in the water industry has led to positions of increasing responsibility in Data Management, Cloud Development and now Cybersecurity.   A graduate of Oral Roberts University, he leads Fortress’ outreach to the bulk electric system from both a Utility perspective and for Vendors.  He also is a co-founder of the Asset 2 Vendor Network, a collaborative to comply with NERC 013 Standards.


Keith Bradley, Partner, Squire Patton Boggs, LLP

Keith Bradley represents companies before US federal and state agencies across a spectrum of regulatory regimes and litigates challenges to administrative and regulatory decisions. As a senior advisor to the General Counsel of the U.S. Department of Energy (DOE), Keith organized the defense of significant regulatory challenges and advised on important department regulatory reforms, such as those in energy conservation and nuclear export controls. He advised on complex DOE transactions, such as decommissioning contracts funded in part by barter arrangements, federal participation in transmission line projects, and more.

Before joining DOE, he was counsel in the Legal Division of the Consumer Financial Protection Bureau, where he helped draft significant regulations, counseled senior agency executives on administrative and constitutional law, and worked with enforcement teams on some of the bureau’s most significant matters. Since leaving DOE, he has served as senior counsel for a corporation in Denver, where he built and ran the compliance management system and helped introduce regulators to the company’s novel business model.


Russ Walsh, Principal Regulatory Compliance Advisor, GE Digital (Invited)

Mr. Walsh has a history of providing advisory services to many large global companies, including Facebook, Hitachi, Cisco, IBM, EY, Yahoo, Apple, Google, SAP, and Salesforce along with countless startups such as Kaiam, Chirpify, Opsware, and Inflexxion.  Specializing in cyber security risk and compliance leadership and he is currently helping GE to build the world’s largest Industrial Internet of Things (IIoT) platform. 

Leading a team of experienced cyber security professionals as GE builds the world’s largest industrial cloud-based computing platform to service the Industrial Internet of Things (IIoT). In this role, I am also responsible for all aspects of Risk and Compliance functions, along with Mergers and Acquisition (M&A) integration.

My Risk Management functions cover full end-to-end processes for risk intake, risk evaluation, risk agreement of facts meetings (AoF), remediation, exception management, validation, and closure. Our compliance frameworks are based on NIST 800-53 to optimize our annual compliance for ISO 27001, 27017, 27018, 9001, along with SOC2, FDA, and FedRAMP.

Online Delivery

We will be using Microsoft Teams to facilitate your participation in the upcoming event. You do not need to have an existing Teams account in order to participate in the broadcast – the course will play in your browser and you will have the option of using a microphone to speak with the room and ask questions, or type any questions in via the chat window and our on-site representative will relay your question to the instructor.

  • You will receive a meeting invitation will include a link to join the meeting.
  • Separate meeting invitations will be sent for the morning and afternoon sessions of the course.
    • You will need to join the appropriate meeting at the appropriate time.
  • If you are using a microphone, please ensure that it is muted until such time as you need to ask a question.
  • The remote meeting connection will be open approximately 30 minutes before the start of the course. We encourage you to connect as early as possible in case you experience any unforeseen problems.

Register

Please Note: This event is being conducted entirely online. All attendees will connect and attend from their computer, one connection per purchase. For details please see our FAQ

If you are unable to attend at the scheduled date and time, we make recordings available to all registrants for three business days after the event

Event Standard RateAttendees

By clicking Accept or closing this message, you consent to our cookies on this device in accordance with our cookie policy unless you have disabled them. more information

By clicking Accept or closing this message, you consent to our cookies on this device in accordance with our cookie policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them. We use cookies during the registration process and to remember member settings.

Close